1. Field of the Disclosure
The present disclosure relates to an antivirus system and, more specifically, to a virus removal system.
2. Brief Description of the Related Art
Computer viruses are a major problem in modern day computing. For example, a computer virus may be a program (or some unit of code, e.g., instructions to which the computer responds, such as a code block, code element or code segment) that may attach to other programs and/or objects, may replicate itself, and/or may perform unsolicited or malicious actions on a computer system. Although described herein as relating to computer viruses, the present disclosure may be applied to any type of malicious code capable of modifying one or more portions of a computer's resources.
Antivirus systems preferably find or detect viruses and then cure the affected file, memory, boot sector, etc. One of the techniques viruses use to complicate their detection and cure is to encrypt parts of the virus body or the file that is going to be infected so that it is harder for an antivirus system to decrypt it and cure the file. This makes it more difficult for the antivirus system to detect and reverse the infection process to cure the file.
The encryption performed by some viruses may involve complex mathematical or logical operations that are performed on the virus code or victim file data that lead to visually unreadable virus code so that it is difficult and sometimes impossible to analyze and identify the viral code inside.
In addition, since encryption can rely on some numerical key that can change from one infected sample to another, pattern matching may not be sufficient to identify the virus body. The antivirus engine should be capable of decrypting the virus first before it can match it against a database of known viruses or otherwise analyze it.
In order to perform its intended purpose, the virus itself should be capable of decrypting encrypted areas of code or data so that it can use it. An antivirus system can sometimes analyze the part of virus code that is responsible for the decryption. The antivirus system can then use the same decryption algorithm that the virus itself uses to decrypt encrypted areas so that the antivirus system can continue to analyze the virus file further. This can sometimes be done by emulating the virus body in a very safe environment that does not allow any malicious actions the virus may take to be executed on a real computer, but only on “virtual machine” that is imitated, for example, by the antivirus system.
Encryption techniques use a key that is used to transform original code or data to an unreadable, encrypted state. The key is usually some integer or real number, but can also be some string of characters. The key is used to encrypt data and may be used by the virus to decrypt the encrypted data, otherwise the data would be useless to the virus.
New types of destructive viruses are constantly emerging. For example, a virus referred to as Win32/Magistr.B.Worm has emerged. This virus although relatively easily detected, can be difficult to remove. This type of virus encrypts part of the host file's entry-point code. For this type of virus to be effectively removed and for the code to be restored, a decryption of this code should take place. However, with this type of virus, the key for the encryption is not stored inside the virus body like some viruses do. Instead, the encryption key for this type of virus is calculated using the machine's name in the Windows operating system. When copying an infected file to another machine, it is very difficult to retrieve that key and to decrypt the code when the infected machines name is unknown.
Accordingly, viruses such as the Win32/Magistr.B virus, for example, use encryption techniques in different ways. Along with encrypting the body of the virus itself, to complicate detection, the virus also encrypts part of the original file to complicate a cure, possibly using the computer name as the key. An antivirus system should be capable of decrypting that part of the original file to completely restore the file to its pre-infected state.
More specifically, as mentioned above, viruses sometimes store the key used to encrypt the encrypted part of a file within the same infected file. However, viruses such as the Win32/Magistr.B virus, for example, do not store the encryption key in the file, but instead use, for example, the “computer name” which it retrieves from the system itself as the encryption key. This counts on the computer name not changing, so that it is constant for the given machine, and can be safely used to decrypt data in files infected on that machine.
The problem is that when antivirus systems need to cure (and therefore decrypt parts) of such an infected file, it also needs to access the computer name of the machine the file was infected on to get the key and be able to decrypt encrypted parts of data so that they can be restored. However, retrieving the key and using it is very unsafe and is not always possible because when antivirus systems scan files on a network, for example, the antivirus system program itself may be located on a different machine (e.g., the network server), and not on the infected work station machine itself. Accordingly, the antivirus system cannot always reliably retrieve the computer name of the infected machine.
Another problem is that when an infected file is moved out of the machine it was infected on (e.g., sent to an antivirus team for analysis, or the computer name was changed by user on the infected machine) it may not be possible to determine the original computer name.